Operation 'Red October' unmasked
Kaspersky Lab has uncovered operation 'Red October', an advanced cyber-espionage campaign aimed at diplomatic and government institutions around the world.
The attackers developed unique, highly customisable malware for stealing data and geopolitical intelligence from computer systems, mobile phones and enterprise network equipment.
The campaign was primarily directed at countries in Eastern Europe, the former Soviet republics and Central Asia, although victims were found everywhere, including Western Europe and North America.
The attackers' main goal was to collect sensitive documents from the compromised organisations, including geopolitical intelligence, credentials for access to classified computer systems, and data from personal mobile devices and network equipment.
In October 2012 the Kaspersky Lab team launched an investigation after a series of attacks on the computer networks of international diplomatic agencies. During the investigation a large cyber-espionage network was discovered and analysed. According to the analytical report, operation "Red October" ("Rocra" for short) had been running since 2007 and was still active as of January 2013.
The advanced cyber-espionage network "Red October": the attackers have been active since 2007. Besides diplomatic and government agencies in various countries around the world, the targets have included research institutions, energy and nuclear companies, and organisations in the trade and aerospace sectors. The "Red October" attackers developed their own malicious software, known as "Rocra", which has a unique modular architecture composed of malicious extensions, information-stealing modules and backdoor Trojans.
The attackers frequently used information stolen from infected networks to gain entry into new systems. For example, stolen credentials were collected into a list and then used by the attackers to guess the passwords or passphrases needed to access other systems.
To control the network of infected computers, the attackers created over 60 domain names and multiple hosting locations in different countries, mostly Germany and Russia. Kaspersky Lab's analysis of the Rocra command-and-control (C2) infrastructure shows that the chain of servers actually worked as proxies, hiding the location of the real control server behind them.
Information stolen from infected systems included files with the following extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, zip, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. Note that key, crt, cer, pgp and gpg are private-key and certificate formats, so the attackers were deliberately harvesting cryptographic key material alongside documents. In particular, the "acid*" extensions appear to belong to the classified encryption software "Acid Cryptofiler", used by several entities including the European Union and NATO.
The spread of the malware
To infect systems, the attackers sent targeted victims spear-phishing e-mails carrying a custom dropper with a Trojan.
To install the malware and infect the system, the malicious e-mail attachments contained exploit code for security vulnerabilities in Microsoft Office and Microsoft Excel.
The exploit code in the documents used in the spear-phishing e-mails had been created by other attackers and had already been used in other cyber-attacks, including those against Tibetan activists and against military and energy-sector targets in Asia. The only thing the Rocra attackers changed in the documents was the embedded executable, which they replaced with their own code.
Notably, one of the commands in the Trojan dropper changed the default code page of the command session to 1251, which is required for displaying Cyrillic fonts.
Targeted victims and organisations
Kaspersky Lab specialists used two methods to analyse the targets. First, they used detection statistics from the Kaspersky Security Network (KSN), a cloud-based security service that receives telemetry from Kaspersky Lab products and provides advanced protection against threats in the form of blacklists and heuristic rules.
KSN had already detected the exploit code used in the malware back in 2011, which allowed Kaspersky Lab experts to search for similar detections related to operation Rocra. The second method used by the Kaspersky Lab research team was to set up "sinkhole" servers so that connections from machines infected with the Rocra malware to its C2 servers could be monitored. The data obtained by the two methods provide two independent ways to cross-check and confirm the findings.
KSN statistics: according to KSN data, several hundred unique infected systems were detected, with an emphasis on embassies, government networks and organisations, research institutes and consulates. According to the KSN data, the majority of detected infections were in Eastern Europe, but other infections were discovered in North America and in Western European countries such as Switzerland and Luxembourg.
Sinkhole statistics: Kaspersky Lab's sinkhole analysis ran from 2 November 2012 to 10 January 2013. During this period more than 55,000 connections from 250 infected IP addresses in 39 countries were registered. Most infected IP connections came from Switzerland, followed by Kazakhstan and Greece.
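As an added illustration of how sinkhole statistics of the kind quoted above are derived (this is example code written for this page, not Kaspersky Lab's tooling or data), the following Python script parses constructed sample log lines in a hypothetical format (ISO timestamp, source IP, country code, requested C2 host), drops malformed lines, counts connections, unique infected IP addresses and countries, ranks countries by number of infected hosts, and optionally restricts the analysis to a date window. The log format, hostnames and IP addresses are all assumptions; the figures it produces are for the sample data only.

```python
"""Aggregate sinkhole telemetry: connections, unique bots, countries.

Added example; the log format and all data below are constructed, not
taken from the Kaspersky Lab sinkhole.
"""
from collections import Counter

# Constructed sample log: "<ISO timestamp> <source IP> <country> <requested C2 host>".
# IPs come from documentation ranges and hosts use the reserved .invalid TLD.
SAMPLE_LOG = """\
2012-11-02T08:15:02Z 203.0.113.10 CH c2-one.invalid
2012-11-02T08:15:09Z 203.0.113.10 CH c2-one.invalid
2012-11-02T09:40:31Z 198.51.100.7 KZ c2-two.invalid
2012-11-03T11:02:55Z 192.0.2.44 GR c2-one.invalid
2012-11-03T11:03:01Z 192.0.2.44 GR c2-one.invalid
2012-11-03T11:03:07Z 192.0.2.44 GR c2-one.invalid
2012-11-04T14:27:19Z 203.0.113.11 CH c2-two.invalid
2012-11-05T16:00:00Z 198.51.100.7 KZ c2-two.invalid
this line is malformed and must be skipped
"""


def parse_sinkhole_log(text):
    """Return a list of (timestamp, ip, country, host) tuples.

    Lines without exactly four whitespace-separated fields are dropped;
    a real sinkhole receives plenty of junk from scanners and crawlers.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def summarize(text, start_date=None, end_date=None):
    """Aggregate a sinkhole log, optionally restricted to a date window.

    start_date/end_date are inclusive 'YYYY-MM-DD' strings; ISO 8601
    timestamps sort lexicographically, so comparing the date prefix is enough.
    """
    records = parse_sinkhole_log(text)
    if start_date:
        records = [r for r in records if r[0][:10] >= start_date]
    if end_date:
        records = [r for r in records if r[0][:10] <= end_date]

    # A bot is identified by its source IP; each IP is counted once per country.
    country_of_ip = {ip: country for _, ip, country, _ in records}
    bots_by_country = Counter(country_of_ip.values())
    connections_by_country = Counter(country for _, _, country, _ in records)
    # Which (now sinkholed) C2 hostnames each bot still tries to reach.
    hosts_by_bot = {}
    for _, ip, _, host in records:
        hosts_by_bot.setdefault(ip, set()).add(host)

    return {
        "connections": len(records),
        "unique_bots": len(country_of_ip),
        "countries": len(bots_by_country),
        "bots_by_country": dict(bots_by_country),
        "connections_by_country": dict(connections_by_country),
        "top_countries": [c for c, _ in bots_by_country.most_common()],
        "hosts_by_bot": {ip: sorted(h) for ip, h in hosts_by_bot.items()},
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(f"{stats['connections']} connections from {stats['unique_bots']} "
          f"infected IPs in {stats['countries']} countries")
    for country in stats["top_countries"]:
        print(f"  {country}: {stats['bots_by_country'][country]} bots, "
              f"{stats['connections_by_country'][country]} connections")
```

Counting bots by unique source IP (rather than by connection) is what turns "55,000 connections" into "250 infected IP addresses": a single infected host that beacons every few minutes produces hundreds of connections but should be counted once. The per-bot host list is useful because it shows which of the attackers' domains a victim still resolves to the sinkhole, i.e. which domains were worth taking over.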